XXE attack in Shibboleth



Published: 2018-02-28
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-0489
CWE-ID CWE-611
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Shibboleth Service Provider
Server applications / Directory software, identity management

Vendor Shibboleth

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) XXE attack

EUVDB-ID: #VU10777

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0489

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform XXE attack.

The vulnerability exists due to an implementation flaw in the XMLTooling library. A remote attacker can add or modify specially crafted XML data, modify digital signatures of user attribute data and impersonate a user or obtain potentially sensitive information.

Mitigation

Update to version 2.6.1.4.

Vulnerable software versions

Shibboleth Service Provider: 2.5.0 - 2.6.0

External links

http://shibboleth.net/community/advisories/secadv_20180227.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###